mailing list archives
Re: "run as" local denial-of-service enables administrative account processes to be killed
From: "James C. Slora Jr." <james.slora () phra com>
Date: Tue, 26 Jun 2007 10:30:18 -0400
Eitan Caspi wrote Saturday, June 23, 2007 4:45 PM
Summary: While a user, at any security membership level, is logged
in locally, using the "run as" feature, it can kill all of the
processes running under the user who initiated the "run as"
feature, even if the
initiating user has a security membership level higher than the
user initiating the killing action under "run as". The kill is
performed using the taskkill.exe application which is built into
It's true Microsoft does not display a unified front on such security
issues, and they sometimes have conflicting advice on their site.
But Runas is more useful for escalating privilege than for downgrading
Anything running on your interactive desktop can interact with anything
else running on it, regardless of the security context that started each
app. So privilege-lowering conveniences like Runas or even desktop VMs
are absolutely subject to the possibility of cross-context interaction.
There are security context checks built into many functions, and you did
find one that does not have things as locked down as they should be, but
these locks and checks are vector-specific and do not address the basic
exploit potential directly.
I don't see a lot of exploits of this potential, but it is designed into
Windows and needs to be there for you to be able to interact with the
apps yourself. So running an interactive sandbox on a trusted system
will inherently increase your risks.
See KB327618 for more info.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/